Graham Carberry, Managing Director in the Defence and Security team at Livingstone, explores the rise of cyber due diligence (‘cyber DD’) and why it is important for businesses that are going into a sale to have robust IT systems:
Cyber due diligence
You can’t be certain about much in M&A but here’s one thing we confidently predict: cyber DD will be the next big thing to feature in transactions as a separate, stand-alone due diligence exercise.
Today’s technology DD tends to focus on issues such as systems compatibility, and whether the vendor has up-to-date licences and a robust business continuity plan. Up until now, cyber DD has been a subsidiary element of the process.
The increasing threat of cyber attacks and the number of high-profile breaches are driving a significant change in corporate mind-set. There is also the clear message, being pushed hard (and increasingly incentivised) by the government and institutions such as the Bank of England, that businesses must sharpen their risk awareness and strengthen their cybersecurity defences.
Acquirers of companies are increasingly aware of these perils. In a survey published last year by Freshfields Bruckhaus Deringer, 90 per cent of respondents across the US and Europe believed that information about cybersecurity weaknesses or breaches would reduce the sale price, while 83 per cent said that identified past data breaches, or a cyber incident mid-deal, would make an impact on that transaction.
The Defence sector
Increasingly, cybersecurity will be analysed in depth or specifically quantified as part of the acquisition process. If you want to see the future of cyber DD, look at a cutting-edge sector such as defence.
One major defence company we know has walked away from transactions, after signing heads of agreement, solely because of concerns about cybersecurity.
Ultimately, cybersecurity is an aspect of protecting value. As with so many aspects of preparing a business for sale, there is much that an owner-director should be doing.
Identify your most important data assets and how those assets are collected, used, stored and retained.
Show how your internal data controls protect that data from being leaked or stolen (given that most breaches are the result of human behaviour, this will be about demonstrating a sustained effort to create and maintain awareness of security throughout the workforce, supported by appropriate training and validated by periodic reviews by external specialists – rather than just installing software patches).
Keep records of past security breaches and what actions were taken as a result.
Develop a breach response plan.
Assess the cybersecurity credentials of your sub-contractors – and customers.
Cybersecurity should now be a question on every acquirer or investor’s mind. For prospective sellers, being able to show that this issue has been taken seriously, and how underlying IP has been protected successfully, is becoming increasingly critical to achieving a strategic price on exit.